Xero Data Processing Addendum

Last updated on 11 February 2025

This Data Processing Addendum (the Addendum) forms part of the Xero terms of use (and any related documentation), as amended from time to time (the Agreement), between you (the Customer) and Xero. All capitalised terms not defined in this Addendum have the meaning set out in the Agreement.

Part A: General data protection terms

Part A (General Data Protection Terms) of this Addendum applies whenever Xero processes Personal Data as a Processor (or sub-Processor) on behalf of the Customer. Xero and the Customer must always comply with this Part A.

In addition, certain additional region-specific terms may apply to the processing in the circumstances described in Part B (Additional Region-Specific Terms). Xero and the Customer must also comply with Part B, where it applies.

To the extent of any conflict between: (a) this Addendum and the Xero Terms of Use, this Addendum will prevail, and (b) Part A and Part B of this Addendum, Part B will prevail.

1. Data Protection

1.1 Definitions

In this Addendum, the following terms have the following meanings:

(a) Applicable Data Protection Law means all privacy and data protection laws which apply to the processing of Personal Data pursuant to the Agreement and this Addendum.

(b) Controller means: (a) the natural or legal person which determines the purposes and means of the processing of Personal Data; and (b) any natural or legal person who is a “controller”, “business” or substantially similar concept under Applicable Data Protection Law.

(c) Customer has the same meaning as “subscriber” in the Agreement.

(d) Data Subject means: (a) a natural person; and (b) any natural person who is a “data subject”, “consumer” or substantially similar concept under Applicable Data Protection Law.

(e) Personal Data means: (a) any information about a Data Subject; and (b) any information that is “personal data”, “personal information”, “personally identifiable information” or substantially similar concept under Applicable Data Protection Law.

(f) Processor means: (a) a natural or legal person which processes Personal Data on behalf of the Controller; and (b) any natural or legal person who is a “processor”, “service provider” or substantially similar concept under Applicable Data Protection Law.

(g) Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

1.2 Relationship of the parties

(a) The Customer appoints Xero to process Personal Data on its behalf and in accordance with its documented instructions.

(b) Accordingly, the Customer is the Controller of the Personal Data that is the subject of the Agreement and this Addendum and Xero is the Processor (except where the Customer is a Processor of the Personal Data on behalf of a third-party Controller, in which case Customer is a Processor and Xero is the Customer’s sub-Processor).

(c) The Customer’s processing instructions are set out in full in the Agreement, including this Addendum. If the Customer wishes to change its processing instructions, it must agree this in writing with Xero.

(d) Specifically, the Customer instructs Xero to process the categories of Personal Data (the Data) for the purposes (the Permitted Purpose) set out in Annex B (Data Processing Schedule).

(e) If the Customer uses or integrates any third-party service with Xero’s services (such as an app from the Xero App Store), any processing of Data by that third-party service will be governed by that third party’s privacy notice and/or data processing terms, and not by this Addendum.

(f) Each party must comply with the obligations that apply to it under Applicable Data Protection Law, and any applicable additional region-specific terms set out in Part B to this Addendum. If the Customer is a Processor on behalf of a third-party Controller, the Customer will ensure that its instructions to Xero described in this Addendum align with the instructions of that third-party Controller.

1.3 Responsibilities of the Customer

As Controller, the Customer must ensure that it (or, where Customer is a Processor, the relevant third-party Controller) has provided all required transparency, and has all necessary rights and permissions under Applicable Data Protection Law for Xero to process the Data for the Permitted Purpose.

1.4 Confidentiality

Xero will ensure that any person it authorises to process the Data will be subject to a duty of confidence that aligns with Xero’s confidentiality obligations under the Agreement.

1.5 Security

(a) Xero will maintain for the duration of the Agreement appropriate technical and organisational measures to protect the Data against a Security Incident. Such measures shall include the measures in Annex A.

(b) Xero may amend its technical and organisational security measures from time to time, as it considers necessary to provide appropriate protection for the Data in light of evolving industry practices, new technologies and emerging cyberthreats. Any such amendments will not diminish the overall security of Xero’s processing.

(c) The Customer acknowledges it is also responsible for maintaining appropriate technical and organisational security measures for the Data it processes and instructs Xero to process on its behalf. Such measures shall include maintaining security over the access credentials it uses for Xero’s platform.

1.6 Subcontracting

The Customer authorises Xero to engage third-party sub-Processors to process the Data for the Permitted Purpose provided that:

(a) Xero provides the Customer with at least 30 days’ notice of any change(s) to its sub-Processors by updating its online sub-Processors page, in order to enable the Customer to raise objections to any proposed sub-Processor on data protection grounds;

(b) Xero imposes data protection terms on any sub-Processor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law and consistent with this Addendum; and

(c) Xero remains liable for any breach of this Addendum that is caused by its sub-Processor.

If the Customer objects on reasonable grounds relating to data protection within 14 days of receiving notice of Xero’s proposed appointment or replacement of a sub-Processor, Xero will discuss with the Customer whether it is possible to appoint or replace the sub-Processor in a way that resolves the Customer’s objection. If this is not possible, then:

(d) Xero may (in its sole discretion) choose either not to appoint or replace the sub-Processor, or to suspend or terminate the Agreement with one month’s written notice in accordance with the ‘Termination by Xero’ clause in the Agreement (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination); or

(e) Customer may choose to terminate the Agreement with one month’s written notice to Xero, in accordance with the ‘Termination by you’ clause in the Agreement.

1.7 Cooperation and Data Subjects’ rights

If the Customer cannot fulfil any requests it receives directly using existing functionality in the Xero platform, Xero will provide the Customer with such reasonable and timely information and assistance (at the Customer’s expense) as the Customer may require to enable the Customer to respond to:

(a) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law; and

(b) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with Xero’s processing of the Data to the extent the Customer is obligated to respond under Applicable Data Protection Law.

If any such request, correspondence, enquiry or complaint is made directly to Xero, Xero will advise the relevant person to contact the Customer directly and promptly inform the Customer and provide it with full details (unless prohibited by applicable law).

1.8 Data Protection Impact Assessment

Xero will assist the Customer to conduct a data protection impact assessment and/or consult with its data protection supervisory authority if required by Applicable Data Protection Law by:

(a) providing information about the technical and organisational measures it maintains to protect the Data in Annex A to this Addendum;

(b) providing the information contained in the Agreement and this Addendum; and

(c) if subclauses (a) and (b) above are insufficient for Customer to comply with its assessment or consultation obligations, Xero will provide Customer with additional reasonable assistance upon Customer’s request.

1.9 Security Incidents

If Xero becomes aware of a Security Incident, Xero will inform the Customer without undue delay using the contact details provided under the Customer’s Xero account, and will provide reasonable information and cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under Applicable Data Protection Law.

Xero will further take reasonably necessary measures to remedy or mitigate the effects of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident. Any notification or response to a Security Incident by Xero shall not be deemed an acknowledgement by Xero of any fault or liability regarding the incident.

1.10 Deletion or return of Data

Upon termination or expiry of the Agreement (unless otherwise instructed by the Customer), Xero will retain a copy of the Data for a period of 7 years to allow the Customer to regain access to it in accordance with the ‘Retention of your data’ clause in the Agreement.

On expiry of this period (or sooner, if at the Customer’s request), Xero will delete or return the Data to the Customer (unless required by applicable law to retain some or all of the Data).

1.11 International data transfers

Neither party shall make an international transfer of Data that it processes pursuant to the Agreement and this Addendum unless it has first done all such things as are necessary to ensure that the transfer is compliant with Applicable Data Protection Law and any applicable region-specific terms set out in Part B to this Addendum.

Part B: Additional region-specific terms

Part B (Additional Region-Specific Terms) of this Addendum applies only where one or more of the specific Applicable Data Protection Laws described below apply to the Personal Data that Xero processes as a Processor (or Sub-Processor) on behalf of the Customer. In such circumstances, Xero and the Customer acknowledge that they must comply with the relevant terms set out in this Part B, which are necessary in the interests of both parties complying with the applicable Data Protection Laws. If applicable, this Part B applies in addition to the data protection terms set out in Part A (General Data Protection Terms).

2. United Kingdom, Switzerland and EEA

This Part B, clause 2 applies where and to the extent that European Data Protection Law applies to the processing of Data pursuant to the Agreement and this Addendum.

2.1 Definitions

In this Part B, clause 2, the following terms have the following meanings:

(a) European Data Protection Law means any and all of EU Data Protection Law, UK Data Protection Law and Swiss Data Protection Law.

(b) EU Data Protection Law means (i) EU Regulation 2016/679 (the "EU GDPR"); (ii) EU Directive 2002/58/EC; and (iii) the national laws of each EEA member state made under, pursuant to, or that implement (i) or (ii), or which otherwise relate to the processing of Personal Data; in each case, as amended or superseded from time to time.

(c) Restricted Transfer means (i) where the EU GDPR applies, a transfer of Personal Data to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an "EU Restricted Transfer"); (ii) where the UK GDPR applies, a transfer of Personal Data to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a "UK Restricted Transfer"); and (iii) where the Swiss DPA applies, a transfer of Personal Data to any other country which is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner or Federal Council (as applicable) (a "Swiss Restricted Transfer").

(d) Sensitive Data means: (i) Personal Data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of unique identification, data concerning a Data Subject’s health or data concerning a Data Subject’s sex life or sexual orientation; and (ii) any other Personal Data which is “special category data” under Applicable Data Protection Law.

(e) “Standard Contractual Clauses” means (i) where the EU GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under section 119A(1) of the DPA 2018 (“UK Addendum”).

(f) Swiss Data Protection Law means (i) the Swiss Federal Act on Data Protection of 25 September 2020 and its corresponding ordinances ("Swiss DPA"); and (ii) any other national laws in Switzerland applicable (in whole or in part) to the processing of Personal Data; in each case, as amended or superseded from time to time.

(g) UK Data Protection Law means (i) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as it continues to have effect under section 2 of the European Union (Withdrawal) Act 2018; (iii) the Data Protection Act 2018 (the "DPA 2018"); and (iv) any other laws in the UK made under, pursuant to, or that implement (i), (ii) or (iii), or which otherwise relate to the processing of Personal Data; in each case, as amended or superseded from time to time.

2.2 Restricted Transfers from Customer to Xero

To the extent that any transfer of Data from Customer to Xero is a Restricted Transfer, the Standard Contractual Clauses shall be incorporated into this Addendum and apply as follows:

(a) where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs will apply between Customer and Xero as follows:

(i) Module Two will apply (unless Customer is a Processor and Xero is a sub-Processor, in which case Module Three will apply);

(ii) in Clause 7, the optional docking Clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be as set out in Part A, clause 1.6 of this Addendum;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) in Annex I:

(A) Parts A and B shall be deemed completed with the information set out in Annex B to this Addendum;

(B) Part C shall be deemed completed in accordance with the criteria set out in Clause 13(a) of the EU SCCs;

(viii) Annex II shall be deemed completed with the security measures set out in Annex A to this Addendum; and

(b) where the Restricted Transfer is a UK Restricted Transfer, the UK Addendum will apply between Customer and Xero as follows:

(i) the EU SCCs, completed as set out above, shall apply between Customer and Xero, and shall be modified by the UK Addendum (completed as set out in sub-clause (ii) below); and

(ii) tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options "Exporter" and "Importer" shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the date of the Agreement; and

(c) where the Restricted Transfer is a Swiss Restricted Transfer, the EU SCCs will apply between Customer and Xero as set out above with the following modifications:

(i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA;

(ii) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;

(iii) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law" (as applicable);

(iv) the term "member state" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

(v) Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection and Information Commissioner;

(vi) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland";

(vii) in Clause 17, the EU SCCs shall be governed by the laws of Switzerland.

2.3 Restricted Transfers by Xero

Xero will not make a Restricted Transfer of the Data to a recipient in another country unless it has done all such things as are necessary to ensure that the Restricted Transfer is compliant with European Data Protection Law. Such measures may include transferring the Data to a recipient in a country that is deemed to provide adequate protection for Personal Data under European Data Protection Law (for example, New Zealand) or to a recipient that has executed Standard Contractual Clauses with Xero in accordance with European Data Protection Law.

2.4 Customer instructions

Xero shall inform the Customer if it is unable to comply with the Customer’s processing instructions, including if, in its opinion, a processing instruction would infringe any European Data Protection Law.

2.5 Audit

The Customer acknowledges that Xero is regularly audited against SOC 2 and ISO/IEC 27001:2022 standards by an independent third-party auditor. Upon the Customer’s request, and subject to the confidentiality obligations set out in the Agreement, Xero will make available to the Customer or Customer’s independent, third-party auditor (provided that they or their independent, third-party auditor are not a competitor of Xero) a copy of Xero’s SOC 2 report in the same manner and form that Xero makes it generally available to customers.

Annex A – Security measures

The technical and organisational measures Xero has in place to protect Data are described in Xero’s SOC 2 report (available on request) and on Xero’s security pages (“Security at Xero” and “Protect your data with multiple layers of security”).

In addition, Xero is certified as compliant with ISO/IEC 27001:2022 which is globally recognised as the premier standard for information security management systems (ISMS).

Annex B – Data processing schedule

A. List of parties

Customer and Data exporter

  • Name: The Customer’s details are set out in the Agreement and/or available in their Xero account.
  • Address: The Customer’s details are set out in the Agreement and/or available in their Xero account.
  • Contact person’s name, position and contact details: The Customer’s details are set out in the Agreement and/or available in their Xero account.
  • Activities relevant to the data transferred under these Clauses: The receipt of data processing services as described in the Agreement and this Addendum.
  • Signature and date: This Addendum is deemed executed upon execution of the Agreement.
  • Role (controller/processor): Controller (unless the Customer is a Processor on behalf of a third-party Controller, in which case it shall be a Processor).

Processor and data importer

  • Name: See Xero’s details set out in the Agreement.
  • Address: See Xero’s details set out in the Agreement.
  • Contact person’s name, position and contact details: See Xero’s contact details in its privacy notice.
  • Activities relevant to the data transferred under these Clauses: As described in the Agreement and this Addendum.
  • Signature and date: This Addendum is deemed executed upon execution of the Agreement.
  • Role (controller/processor): Processor.

B. Description of processing and transfer

Categories of Data Subjects whose Personal Data is processed and transferred

The categories of data subjects include: suppliers/service providers of Customer, customers/clients of Customer, employees/contractors of Customer, and other contacts of the Customer.

Categories of Personal Data processed and transferred

The types of Personal Data processed include: names, addresses, contact details, identification details (for example, tax registration numbers), and other Personal Data types for use on the Xero platform.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

Not applicable, unless Customer submits Sensitive Data in its use of the services as described in the Agreement.

The frequency of the transfer (for example, whether the data is processed and transferred on a one-off or continuous basis)

Continuous for the duration of the Agreement.

Nature of the processing

As described in the Agreement and this Addendum.

Purpose(s) of the processing, transfer and further processing

As described in the Agreement and this Addendum.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement and up to 7 years following termination or expiry of the Agreement, as set out in Part A, Clause 1.10 of the Addendum.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are as set out above.

C. Competent Supervisory Authority

Competent supervisory authority where the EU GDPR applies

The competent EU supervisory authority shall be determined by reference to the place of establishment of the Customer in accordance with Clause 13 of the Standard Contractual Clauses.

Competent supervisory authority where the UK GDPR applies

The Information Commissioner’s Office.